User Validation

Hello!

I’m working with Camunda and I noticed something that I would like clarification on, in case someone can help me.
Why does the API engine allow us to get tasks with non-existent users, and why can I also get tasks with a user that doesn’t belong to the group that the task was assigned to?
Does the API not have any kind of validation?

Thank you for your attention.

Hi @neilom,

From my experience, the use cases for a tasklist and the API differ a lot. I started a long time ago with the assumption that a tasklist application should be as restrictive as possible to guide the task workers. But real-life projects showed that the task users want a lot of flexibility to get their tasks done.

You can use more restrictive task queries to show only certain tasks to the users. And double-check the state of a task, as it is done in the Camunda Tasklist. Here you can only complete a task, if you have claimed it before. But this logic is implemented in the Tasklist.

Hope this helps, Ingo

1 Like

Hello @Ingo_Richtsmeier, thanks for your attention, but I have a question…

Does the Camunda API not have any validation for user, group or tenant? In an HTTP request, can I claim the task for a “potato”?

I can build a Frontend with validation, but I would like a confirmation on this issue so I don’t build a wrong frontend.

Thank you for your attention.

Hi @neilom,

Yes. Internally, the assignee and candidate users and groups are just Strings saved in a column in the database.

If you assign a task to a non-existing user, no one will find the task to work on it, but the task itself is not lost, just hidden. On the other hand, “potato” can steal a task from somebody else. It is a requirement engineering decision how to handle these cases. For some groups they are acceptable, others have to avoid them…

Hope this helps, Ingo

2 Likes
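The checks this thread leaves to the application, as an added example that is not code from the thread or from Camunda: a server-side gate that decides whether a claim or complete request may be forwarded to the engine. The `Task` class, `DIRECTORY`, and both function names are hypothetical, and the caller's identity is assumed to come from an authenticated session rather than from the request body.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample directory (user id -> groups). Assumption: in a real
# deployment this lookup goes to the identity provider.
DIRECTORY = {"alice": {"accounting"}, "bob": {"sales"}}

@dataclass
class Task:
    # Mirrors what the engine stores: plain strings, no referential checks.
    id: str
    assignee: Optional[str] = None
    candidate_users: set = field(default_factory=set)
    candidate_groups: set = field(default_factory=set)

def claim_decision(task, authenticated_user, requested_user):
    """Decide whether a claim may be forwarded to the engine."""
    # The user id in the request is untrusted input; it must match the session.
    if requested_user != authenticated_user:
        return (False, "claim for a different user id")
    groups = DIRECTORY.get(authenticated_user)
    if groups is None:
        return (False, "unknown user")
    # Prevent taking over a task somebody else has already claimed.
    if task.assignee not in (None, authenticated_user):
        return (False, "already claimed")
    is_candidate = (authenticated_user in task.candidate_users
                    or bool(groups & task.candidate_groups))
    if not is_candidate:
        return (False, "not a candidate")
    return (True, "ok")

def complete_decision(task, authenticated_user):
    """Same rule the reply attributes to the Tasklist: claim before complete."""
    if authenticated_user not in DIRECTORY:
        return (False, "unknown user")
    if task.assignee != authenticated_user:
        return (False, "not claimed by caller")
    return (True, "ok")

if __name__ == "__main__":
    t = Task("t1", candidate_groups={"accounting"})
    for session, requested in [("alice", "alice"), ("potato", "potato"),
                               ("bob", "bob"), ("bob", "alice")]:
        print(session, requested, claim_decision(t, session, requested))
```

The gate has to run on the server between the frontend and the engine; the same checks done only in browser code can be bypassed by calling the API directly.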